---
title: LDAP Search Filter Cheatsheet
author: Jon LaBelle
date: January 4, 2021
source: https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet
notoc: true
---
A comprehensive reference for constructing LDAP search filters, with practical examples for common queries.

- [Filter operators](#filter-operators)
  - [Comparison operators](#comparison-operators)
  - [Combination operators](#combination-operators)
  - [Special Characters](#special-characters)
- [objectCategory and objectClass](#objectcategory-and-objectclass)
- [Filter basics](#filter-basics)
  - [To match a single attribute](#to-match-a-single-attribute)
  - [To match two attributes (and)](#to-match-two-attributes-and)
  - [To match two attributes (or)](#to-match-two-attributes-or)
  - [To match three attributes (and)](#to-match-three-attributes-and)
  - [To match three attributes (or)](#to-match-three-attributes-or)
  - [To perform a wildcard search](#to-perform-a-wildcard-search)
- [Sample filters](#sample-filters)
  - [Users in group](#users-in-group)
  - [Users in group (include nested)](#users-in-group-include-nested)
  - [Users in multiple groups](#users-in-multiple-groups)
  - [Users that must change their password at next logon](#users-that-must-change-their-password-at-next-logon)
  - [Users starting with a particular name](#users-starting-with-a-particular-name)
  - [Users by job title](#users-by-job-title)
- [Active Directory filters](#active-directory-filters)
  - [Domain and Enterprise Admins](#domain-and-enterprise-admins)
  - [All users except blocked](#all-users-except-blocked)
  - [Disabled user accounts](#disabled-user-accounts)
  - [Users with password never expires enabled](#users-with-password-never-expires-enabled)
  - [Users with empty email](#users-with-empty-email)
  - [Users in department](#users-in-department)
  - [Exclude disabled users](#exclude-disabled-users)
- [Additional useful filters](#additional-useful-filters)
  - [Computer accounts](#computer-accounts)
  - [Service accounts](#service-accounts)
  - [Groups with specific attributes](#groups-with-specific-attributes)
  - [Objects modified within timeframe](#objects-modified-within-timeframe)
  - [Users by location](#users-by-location)
  - [Empty organizational units](#empty-organizational-units)
- [References](#references)
- [Additional Resources](#additional-resources)
## Filter operators
### Comparison operators
The following comparison operators can be used in a filter:

| Operator | Meaning                  |
| -------- | ------------------------ |
| `=`      | Equality                 |
| `>=`     | Greater than or equal to |
| `<=`     | Less than or equal to    |
| `~=`     | Approximately equal to   |

For example, the following filter returns all objects whose _cn_ (common name) attribute has the value _Jon_:

```plaintext
(cn=Jon)
```
### Combination operators
Filters can be combined using boolean operators when there are multiple search conditions:

| Operator | Description                              |
| -------- | ---------------------------------------- |
| `&`      | AND — all conditions must be met         |
| `\|`     | OR — any number of conditions can be met |
| `!`      | NOT — the condition must not be met      |

For example, to select objects with _cn_ equal to _Jon_ and _sn_ (surname/last name) equal to _Brian_:

```plaintext
(&(cn=Jon)(sn=Brian))
```
### Special Characters
The LDAP filter specification assigns special meaning to the following characters:

| Character | Hex Representation |
| --------- | ------------------ |
| `*`       | `\2A`              |
| `(`       | `\28`              |
| `)`       | `\29`              |
| `\`       | `\5C`              |
| `Nul`     | `\00`              |

For example, to find all objects where the common name is `James Jim*) Smith`, the LDAP filter would be:

```plaintext
(cn=James Jim\2A\29 Smith)
```
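The escaping in the table above is also what keeps a value taken from user input (a login form, an API parameter) from closing the assertion or adding conditions of its own. The following is an added example, not code from the original page: a single-pass RFC 4515 escaper and two small builders that use it. The function names (`escape_filter_value`, `equality_filter`, `enabled_user_filter`) are this example's own.

```python
import re

# Added example, not from the original page: RFC 4515 escaping so that a value
# supplied by a caller is always treated as data inside the filter and can
# never close the assertion or append new conditions.
_FILTER_ESCAPES = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions are a name or an OID, optionally followed by ;options.
_ATTRIBUTE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value for use inside a filter assertion.

    A single pass over the characters means the backslashes this function
    emits are never themselves re-escaped.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value): the attribute name is validated, the value escaped."""
    if not _ATTRIBUTE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def enabled_user_filter(sam_account_name: str) -> str:
    """Look up one enabled user by logon name; the name is escaped, the rest is fixed."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"{equality_filter('sAMAccountName', sam_account_name)})")
```

`equality_filter("cn", "James Jim*) Smith")` produces exactly the filter shown above. Note that the wildcard `*` is escaped too: if a search is meant to allow wildcards, split the caller's value on `*` and escape each piece separately rather than passing it through unescaped.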
## objectCategory and objectClass
| objectCategory       | objectClass          | Result                    |
| -------------------- | -------------------- | ------------------------- |
| person               | user                 | user objects              |
| person               | n/a                  | user and contact objects  |
| person               | contact              | contact objects           |
| user                 | n/a                  | user and computer objects |
| computer             | n/a                  | computer objects          |
| contact              | n/a                  | contact objects           |
| group                | n/a                  | group objects             |
| n/a                  | group                | group objects             |
| person               | organizationalPerson | user and contact objects  |
| organizationalPerson | n/a                  | user and contact objects  |

> **Use objectCategory instead of objectClass in your filters.**
>
> `objectCategory` is faster because it's single-valued and indexed. `objectClass` is multi-valued and typically not indexed, making queries slower.
## Filter basics
### To match a single attribute
```plaintext
(sAMAccountName=SomeAccountName)
```
### To match two attributes (and)
```plaintext
(&(objectClass=person)(objectClass=user))
```
### To match two attributes (or)
```plaintext
(|(objectClass=person)(objectClass=user))
```
### To match three attributes (and)
```plaintext
(&(objectClass=user)(objectClass=top)(objectClass=person))
```
### To match three attributes (or)
```plaintext
(|(objectClass=user)(objectClass=top)(objectClass=person))
```
### To perform a wildcard search
```plaintext
(&(objectClass=user)(cn=*Marketing*))
```
## Sample filters
### Users in group
To retrieve the account names (`sAMAccountName`) of users that are members of a particular group (`SomeGroupName`):
```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=SomeGroupName,ou=users,dc=company,dc=com))
```
### Users in group (include nested)
To retrieve the account names (`sAMAccountName`) of users that are members of a particular group (`SomeGroupName`), including users who belong to it through nested groups:
```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=SomeGroupName,ou=users,dc=company,dc=com))
```
### Users in multiple groups
To retrieve the account names (`sAMAccountName`) of users that are members of any of the four groups `fire`, `wind`, `water` or `heart`:
```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))
```
### Users that must change their password at next logon
To search Active Directory for users that must change their password at next logon:
```plaintext
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
### Users starting with a particular name
To find _user_ objects whose common name starts with _Brian_ (`cn=Brian*`):
```plaintext
(&(objectClass=user)(cn=Brian*))
```
### Users by job title
To find all users with a job title starting with _Manager_ (`Title=Manager*`):
```plaintext
(&(objectCategory=person)(objectClass=user)(Title=Manager*))
```
## Active Directory filters
Search filters supported only by Microsoft Active Directory.
### Domain and Enterprise Admins
To find administrators, i.e. members of groups such as Domain Admins and Enterprise Admins (`adminCount=1`):
```plaintext
(&(objectClass=user)(objectCategory=Person)(adminCount=1))
```
### All users except blocked
To list all users except for blocked (disabled) ones:
```plaintext
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
### Disabled user accounts
To list only disabled user accounts:
```plaintext
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
```
### Users with password never expires enabled
```plaintext
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
```
### Users with empty email
```plaintext
(&(objectCategory=person)(!(mail=*)))
```
### Users in department
To search users in a particular department:
```plaintext
(&(objectCategory=person)(objectClass=user)(department=Sales))
```
### Exclude disabled users
To find a user (`sAMAccountName=username`) that isn't disabled:
```plaintext
(&(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=username))
```
- The filter `(sAMAccountType=805306368)` on user objects is more efficient, but is harder to remember.
- The filter `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` excludes disabled user objects.
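To see how the pieces on this page fit together (the `&`/`|`/`!` combinations from "Filter basics", wildcard and presence matching, and the bitwise-AND rule `1.2.840.113556.1.4.803` that the `userAccountControl` filters above rely on), here is an added example that is not part of the original page: a small Python evaluator that parses a filter and runs it over a constructed in-memory directory. The sample accounts, their attribute values and the names `parse_filter`, `matches`, `search` and `SAMPLE_ENTRIES` are all this example's own; only the filter syntax and the `userAccountControl` bit values come from the page.

```python
import re

# Added example, not from the original page: evaluate the filter syntax used on
# this page against plain dict entries. Entries map attribute name -> list of
# string values (LDAP attributes are multi-valued); attribute names and string
# values compare case-insensitively, as they do in Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit in the mask is set
_ITEM = re.compile(r"^([A-Za-z0-9.;-]+)(?::([0-9.]+):)?(=|>=|<=|~=)(.*)$", re.S)
_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")

def _unescape(value):
    # Decode RFC 4515 escapes, e.g. \2A -> '*' and \29 -> ')'.
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter string into ('&'|'|'|'!', children) and ('item', ...) nodes."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing characters after filter: {rest!r}")
    return node

def _parse(s):
    if len(s) < 3 or s[0] != "(":
        raise ValueError(f"expected '(' near {s[:20]!r}")
    if s[1] in "&|":
        rest, children = s[2:], []
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unterminated AND/OR list")
        return (s[1], children), rest[1:]
    if s[1] == "!":
        child, rest = _parse(s[2:])
        if not rest.startswith(")"):
            raise ValueError("unterminated NOT")
        return ("!", [child]), rest[1:]
    # A literal ')' inside a value must be escaped as \29, so the first raw
    # ')' always closes a simple item.
    end = s.index(")")
    m = _ITEM.match(s[1:end])
    if not m:
        raise ValueError(f"malformed filter item: {s[1:end]!r}")
    attr, rule, op, value = m.groups()
    return ("item", attr.lower(), rule, op, value), s[end + 1:]

def _wildcard_match(pattern, value):
    # Split on '*' before unescaping so an escaped \2A stays a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE) is not None

def _compare(a, b):
    try:  # numeric when both sides are integers; generalized-time strings sort as text
        a, b = int(a), int(b)
    except ValueError:
        pass
    return (a > b) - (a < b)

def matches(node, entry):
    """Return True if the entry satisfies the parsed filter tree."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, op, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if rule:  # 1.2.840.113556.1.4.1941 (nested groups) needs the group graph; not modelled
        raise ValueError(f"unsupported matching rule {rule}")
    if op == "=" and value == "*":  # presence test
        return bool(values)
    for v in values:
        if (op in ("=", "~=") and _wildcard_match(value, v)) or \
           (op == ">=" and _compare(v, value) >= 0) or \
           (op == "<=" and _compare(v, value) <= 0):
            return True
    return False

# Constructed sample directory (no real accounts). userAccountControl values:
# 512 normal account, 514 = 512 + 2 (disabled), 66048 = 512 + 65536 (password
# never expires), 4096 workstation trust account.
_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "cn": ["Alice Adams"], "objectCategory": ["person"], "objectClass": _USER,
     "userAccountControl": ["512"], "mail": ["alice@example.test"], "whenChanged": ["20240320101500.0Z"]},
    {"sAMAccountName": ["bob"], "cn": ["Bob Brown"], "objectCategory": ["person"], "objectClass": _USER,
     "userAccountControl": ["514"], "whenChanged": ["20231105083000.0Z"]},
    {"sAMAccountName": ["svc-backup"], "cn": ["svc-backup"], "objectCategory": ["person"], "objectClass": _USER,
     "userAccountControl": ["66048"], "servicePrincipalName": ["host/backup01.example.test"],
     "whenChanged": ["20240601120000.0Z"]},
    {"sAMAccountName": ["WS01$"], "cn": ["WS01"], "objectCategory": ["computer"], "objectClass": _USER + ["computer"],
     "userAccountControl": ["4096"], "whenChanged": ["20230101000000.0Z"]},
]

def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sAMAccountName of every entry the filter selects."""
    node = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in entries if matches(node, e)]
```

Running `search("(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))")` against the sample directory returns only `bob`, whose value 514 has bit 2 set, while the negated form from "Exclude disabled users" returns `alice` and `svc-backup`. The evaluator treats `objectCategory` as a plain string, so the page's shorthand `objectCategory=user` (which a domain controller resolves to the schema DN) only works here against entries that literally carry that value.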
## Additional useful filters
### Computer accounts
To find all computer accounts in Active Directory:
```plaintext
(objectCategory=computer)
```
To find computer accounts that are not disabled:
```plaintext
(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
### Service accounts
To find service accounts (accounts with Service Principal Names):
```plaintext
(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))
```
To find accounts used as service accounts that don't require Kerberos pre-authentication:
```plaintext
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
```
### Groups with specific attributes
To find all security groups:
```plaintext
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
```
To find all distribution groups:
```plaintext
(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
```
To find empty groups (no members):
```plaintext
(&(objectCategory=group)(!(member=*)))
```
### Objects modified within timeframe
To find objects modified after a specific date (uses generalized time format):
```plaintext
(whenChanged>=20240101000000.0Z)
```
To find objects created within the last 30 days (approximate):
```plaintext
(whenCreated>=20240715000000.0Z)
```
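The hard-coded dates above go stale quickly, and generalized time is easy to get wrong by a timezone offset. As an added example (not from the original page), the following builds the cutoff value from an aware UTC clock; the function names `generalized_time` and `changed_within_filter` are this example's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not from the original page: build the generalized-time value
# for whenCreated / whenChanged filters from the clock instead of hard-coding it.

def generalized_time(when: datetime) -> str:
    """Format an aware datetime as LDAP generalized time, YYYYMMDDHHMMSS.0Z (UTC).

    Naive datetimes are rejected: AD compares these values in UTC, and a local
    timestamp would silently shift the cutoff by the zone offset.
    """
    if when.tzinfo is None:
        raise ValueError("generalized_time needs a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def changed_within_filter(attribute: str, days: int, now: Optional[datetime] = None) -> str:
    """Filter for objects whose whenCreated or whenChanged falls within the last `days` days."""
    if attribute not in ("whenCreated", "whenChanged"):
        raise ValueError("attribute must be whenCreated or whenChanged")
    now = now or datetime.now(timezone.utc)
    return f"({attribute}>={generalized_time(now - timedelta(days=days))})"
```

With `now` set to 2024-08-14 UTC, `changed_within_filter("whenCreated", 30)` yields the same `(whenCreated>=20240715000000.0Z)` shown above; in production, leave `now` unset so the cutoff follows the clock.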
### Users by location
To find users in a specific city:
```plaintext
(&(objectCategory=person)(objectClass=user)(l=New York))
```
To find users in a specific state/province:
```plaintext
(&(objectCategory=person)(objectClass=user)(st=California))
```
To find users in a specific country:
```plaintext
(&(objectCategory=person)(objectClass=user)(co=United States))
```
### Empty organizational units
To find organizational units with no child objects:
```plaintext
(&(objectCategory=organizationalUnit)(!(ou=*)))
```
## References
- [Atlassian Support: How to write LDAP search filters](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- [TheITBros.com: Active Directory LDAP Query Examples](https://theitbros.com/ldap-query-examples-active-directory/)
- [Active Directory: LDAP Syntax Filters](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
## Additional Resources
- [Active Directory Glossary](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx) - This is a glossary of terms and acronyms used in Active Directory and related technologies.
- [Microsoft Docs: Active Directory Schema (AD Schema) Definitions](https://docs.microsoft.com/en-us/windows/win32/adschema/active-directory-schema) - Formal definitions of every attribute that can exist in an Active Directory object.